Algorithm for factoring some RSA and Rabin moduli 
In this paper we present a new efficient algorithm for factoring the RSA and the Rabin
moduli in the particular case when the difference between their two prime factors is bounded.
As an extension, we also give some theoretical results on factoring integers.

1 Introduction

The security of the RSA [11] and Rabin [10] cryptosystems is based on the hardness
of factoring integers. The secret keys can be found if we succeed in decomposing the
modulus, which is the product of two large prime factors.

Many authors have addressed the problem, and currently the fastest known algorithms
are the Elliptic Curve Method [5] and the Number Field Sieve [2]. In an exercise, Stinson [12]
raised the possibility of factoring the RSA modulus if the two factors are too close. In
1999, Boneh et al. [1] described a polynomial time algorithm for factoring $n = p^r q$ when
the exponent r is large. More recently, in 2007, Coron and May [3] presented the first
deterministic algorithm for factoring the RSA modulus in polynomial time, but they used
the public and the secret key pair (e, d). Our work consists in giving a simple algorithm
for factoring the RSA and the Rabin moduli in the particular case when the difference
between the two prime factors is less than $2^{(k+5)/4}$, where k is the bit-size of the modulus.
The paper is organised as follows: Section 2 is devoted to our main result. In Section
3 we discuss an extension but only in its theoretical aspect. We conclude in Section 4.
Throughout the paper, we shall use standard notation. In particular $\mathbb{N}$ is the set of all
natural integers 0, 1, 2, 3, ... and $\mathbb{N}^* = \mathbb{N} - \{0\}$. The largest integer which does not exceed
the real x is denoted by $\lfloor x \rfloor$. It is also the integer part and the floor of x. Thus we have
$\lfloor x \rfloor \le x < \lfloor x \rfloor + 1$. The bit-size of a positive integer n is the number of bits in its binary
representation. So, the bit-size of n is k $\iff n = \sum_{i=0}^{k-1} 2^i a_i$ with every $a_i \in \{0, 1\}$ and

2 Main Results 

We begin with a lemma that we shall use in the proof of our main theorem. 

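Lemma 2.1 Let n, m be two elements of $\mathbb{N}^*$ and let $\alpha_{n,m}$ denote the number of perfect
squares $x^2$ such that $n < x^2 \le m$. Then we have: $\alpha_{n,m} < \frac{m - n}{\sqrt{m} + \sqrt{n}} + 1$.

Proof. Consider the set $E_n = \{x \in \mathbb{N} \mid x^2 \le n\}$. Since $E_n$ is also $\{x \in \mathbb{N} \mid x \le \sqrt{n}\}$,
its cardinality is $\lfloor \sqrt{n} \rfloor + 1$ and then $\alpha_{n,m} = \lfloor \sqrt{m} \rfloor - \lfloor \sqrt{n} \rfloor$. If we put $k = \lfloor \sqrt{n} \rfloor$ and
$l = \lfloor \sqrt{m} \rfloor$, which means that $k \le \sqrt{n} < k + 1$ and $l \le \sqrt{m} < l + 1$, we obtain $l \le \sqrt{m}$
and $-k < 1 - \sqrt{n}$. Hence $\alpha_{n,m} = l - k < \sqrt{m} - \sqrt{n} + 1 = \frac{m - n}{\sqrt{m} + \sqrt{n}} + 1$.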

Now we can move to the main theorem which allows us to compute efficiently the two 
prime factors p and q of an RSA or a Rabin modulus in a particular case. The proof of 
this theorem relies on the last lemma. 

Theorem 2.2 Let n be the modulus of an RSA or a Rabin cryptosystem whose bit-size
is denoted by $k \in \mathbb{N}^*$. If its two prime factors p and q satisfy the inequality $|p - q| < 2^{(k+5)/4}$,
then we can compute them efficiently.

Proof. First notice that the hypothesis of our theorem can exist in practice: for example
when p and q are twin primes. Without loss of generality we can assume that 2 < p < q.

As the factors p and q are odd, we put q = p + 2i where $i \in \mathbb{N}$. Since $n = pq \Rightarrow n + i^2 = (p + i)^2$,
the integer $n + i^2$ is a perfect square bounded below by n and above
by $n + 2^{(k+1)/2}$ because $2i = q - p < 2^{(k+5)/4} \Rightarrow i < 2^{(k+1)/4}$. Let $m = n + i^2$. By the last
lemma, the number $\alpha_{n,m}$ of perfect squares between n and m satisfies the inequality
$\alpha_{n,m} < \frac{i^2}{\sqrt{n + i^2} + \sqrt{n}} + 1$. We then deduce that $\alpha_{n,m} < \frac{i^2}{2\sqrt{n}} + 1$ and, as k is the bit-size
of n, that $\alpha_{n,m} < \frac{2^{(k+1)/2}}{2 \cdot 2^{(k-1)/2}} + 1$. Hence $\alpha_{n,m} < \frac{2}{2} + 1 = 2$.

But $\alpha_{n,m}$ is a natural integer so $\alpha_{n,m} = 1$. This means that $n + i^2 = (p + i)^2$ is
the only perfect square between n and $n + i^2$. That is also the first perfect square
greater than n and so $n_0 = \lfloor \sqrt{n} \rfloor + 1$. This allows us to compute the factors p and q:
$n + i^2 = n_0^2 \Rightarrow n = (n_0 + i)(n_0 - i) \Rightarrow p = n_0 - i$ and $q = n_0 + i$.

This theorem leads to the following algorithm where comments are delimited by braces.

Algorithm

Input: A modulus n = pq with $|p - q| < 2^{(k+5)/4}$.

Output: The two prime factors p and q.

(1) $n_0 \leftarrow \lfloor \sqrt{n} \rfloor + 1$ { $n_0^2$ is the first integer square > n }
(2) $f \leftarrow n_0^2 - n$ { f is an intermediate variable }
(3) $i \leftarrow \sqrt{f}$ { f is a perfect square }
(4) $p \leftarrow n_0 - i$ { We compute p and q }
(5) $q \leftarrow n_0 + i$
(6) Output p and q.
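
The algorithm above as runnable Python, an added example that is not code from the paper. The function names are assumptions; `within_bound` checks the hypothesis |p - q| < 2^((k+5)/4) in exact integer arithmetic, and the 511-bit modulus is constructed from two odd (not prime) factors, the case covered by Proposition 3.5.

```python
from math import isqrt


def close_factor_split(n):
    """Steps (1)-(5) of the algorithm: return (p, q) with p * q == n,
    or None when n0^2 - n is not a perfect square (method does not apply)."""
    n0 = isqrt(n) + 1        # (1) n0^2 is the first square greater than n
    f = n0 * n0 - n          # (2) intermediate variable
    i = isqrt(f)             # (3) exact integer square root, no floats
    if i * i != f:
        return None          # the two factors are not close enough
    return n0 - i, n0 + i    # (4), (5)


def within_bound(p, q):
    """True when |p - q| < 2^((k+5)/4), k being the bit-size of p * q.
    Both sides are raised to the 4th power to stay in exact integers."""
    k = (p * q).bit_length()
    return abs(p - q) ** 4 < 2 ** (k + 5)


def demo():
    # Constructed sample: two odd 256-bit factors that differ by 2^100.
    f = 2 ** 255 + 1
    g = f + 2 ** 100
    n = f * g                                      # 511-bit modulus
    return {
        "example_2_3": close_factor_split(2773),   # modulus of Example 2.3
        "fails_1081": close_factor_split(1081),    # 23 * 47, too far apart
        "large_recovered": close_factor_split(n) == (f, g),
        "large_in_bound": within_bound(f, g),
        "far_apart_in_bound": within_bound(f, f + 2 ** 140),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A key-generation routine can call `within_bound` on its candidate primes and draw a new pair whenever it returns True.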



Example 2.3 Let us try the method on the mythic example given by the authors of the RSA
cryptosystem [11]. They took n = 2773, p = 47 and q = 59. With the algorithm above
we easily retrieve the two prime factors. Indeed the first integer square greater than n is
$n_0^2 = (\lfloor \sqrt{n} \rfloor + 1)^2 = 53^2 = 2809$, so $n_0^2 - n = 36 = 6^2 = i^2$ and then $p = n_0 - i = 47$ and
$q = n_0 + i = 59$. Let us check that p and q satisfy the condition in the theorem. n = 2773
has k = 12 bits in its binary representation, thus $2^{(k+5)/4} = 2^4 \sqrt[4]{2} \Rightarrow |q - p| = 12 < 2^{(k+5)/4}$.

On the other hand there exist integers for which we cannot apply the theorem. Take for
example n = 1081. The first integer square greater than n is $n_0^2 = 1089$, but $n_0^2 - n = 8$
is not a perfect square. Here the hypothesis is not valid with the values p = 23, q = 47
and k = 11. Observe that when our method fails, it gives information on the two factors
p and q, namely that they are not very close to each other. From the theorem we deduce
that some integers should be avoided as RSA or Rabin moduli. More precisely:

Corollary 2.4. Let n = pq, p, q > 2, be the modulus of an RSA or a Rabin cryptosystem
whose bit-size is denoted by $k \in \mathbb{N}^*$. Assume that p and q have the same bit-size $\frac{k}{2}$. If p
matches q on the $\frac{k}{4}$ most significant bits, then we can compute the two prime factors p
and q.

Proof. We have in this situation: $|q - p| < 2^{k/4} < 2^{(k+5)/4}$.

3 Extension of the method 

The purpose of this section is to generalize our method. The extension is mainly of
theoretical interest. However we can compute factors by "factoring with a hint" [1], [2] or
with the help of an oracle. The following proposition shows that, when n = pq is the product
of two unknown prime factors, if we can find a prime number r such that rp is close to q,
and therefore rn is close to a perfect square, then we can compute p and q. The difficulty
of factoring n directly is transformed into the difficulty of computing this coefficient r.
When this situation occurs, since r is an integer, the factors p and q must be unbalanced
[6]. It seems that, in this case, classical algorithms are not very efficient.

Proposition 3.1 Let $n \in \mathbb{N}^*$ be the product of two prime factors p and q, 2 < p < q. If
we can compute efficiently an odd integer r > 2 such that $|q - rp| < 2^{(K+5)/4}$, where K is
the bit-size of the integer rn, then we can compute the factors p and q.

Proof. We put N = rn, P = rp and Q = q. So N = PQ and as P and Q are odd we
assume that Q > P, and Q = P + 2I. Using a technique like that in the proof of Theorem
2.2 but with the new parameters N, P, Q, K, I instead of n, p, q, k, i, we show that there
is only one perfect square between N and $N + 2^{(K+1)/2}$ and it is the first square $N_0^2$ greater
than N. We have also: $N = N_0^2 - I^2 = (N_0 - I)(N_0 + I)$. We wish to have p as a factor
of $N_0 - I$ and q as a factor of $N_0 + I$. Indeed, suppose that $r = r_1 r_2$ with $N_0 - I = r_1$ and
$N_0 + I = r_2 pq$. We have: $N_0 - I = r_1$ and $N_0 + I = r_2 pq \Rightarrow 2I = r_2 pq - r_1 \Rightarrow q - rp =
r_2 pq - r_1 \Rightarrow r_1 - rp = r_2 pq - q$.

This leads to a contradiction since $r_1 - rp < 0$ and $r_2 pq - q > 0$. We conclude that p
is a factor of $N_0 - I$ and q is a factor of $N_0 + I$ and then we can compute them.

Example 3.2 Let n = 15211 (= 41 × 371). If we take r = 9, the first square $N_0^2$ greater
than rn = 136899 is $370^2$. So $N_0^2 - rn = 1$ and therefore rn = 369 × 371. By looking first
for the factors of the artificial coefficient r = 9 we easily retrieve that p = 41 and q = 371.

If the factors p and q are balanced, which is the case in standard RSA and Rabin
cryptosystems [6], we have the result:

Proposition 3.3 Let $n \in \mathbb{N}^*$ be the product of two prime factors p and q, 2 < p < q.
If we can compute efficiently two odd integers r, s such that s < p and $|sq - rp| < 2^{(K+5)/4}$,
where K is the bit-size of the integer rsn, then we can compute the factors p and q.

Proof. For simplicity we suppose that sq > rp. The same argumentation as in the proof of
Proposition 3.1 shows that the first perfect square $N_0^2$ greater than rsn verifies $N_0^2 - rsn =
I^2$ where 2I = sq - rp. So $rsn = (N_0 - I)(N_0 + I)$. From this decomposition let us show that
p is a factor of $N_0 - I$ and q a factor of $N_0 + I$, and then it is easy to compute them. Suppose
that we have rs = uv with $N_0 - I = u$ and $N_0 + I = vpq$. We then have 2I = vpq - u
and thus sq - rp = vpq - u. This leads to u - rp = vpq - sq. But vpq - sq = q(vp - s)
is positive; and v(u - rp) = uv - vrp = r(s - vp) is negative. Hence pq cannot divide
$N_0 - I$ and therefore p is a factor of $N_0 - I$ and q a factor of $N_0 + I$.

Example 3.4 Let n = 24961 (= 109 × 229) as in an example from [7]. Here we cannot
apply Theorem 2.2. If we take r = 23 and s = 11, the first square $N_0^2$ greater than
rsn = 3569423 is $2513^2$, and $N_0^2 - rsn = 6^2$. So rsn = 2507 × 2519 and by decomposing
each factor we retrieve p = 109 and q = 229.

Our theoretical method can be extended in order to be applied for factoring any integer
n. By the fundamental theorem of arithmetic, every positive integer n can be written as
a product of primes. So n can be put in the form n = fg, where f and g are two
factors, not necessarily prime. If for one couple (f, g) the difference |g - f| is not very large,
then we can compute f and g.

Proposition 3.5. Let $n \in \mathbb{N}^*$ be the product of two odd factors f and g, 2 < f < g. If
we have $|g - f| < 2^{(k+5)/4}$, where k is the bit-size of the integer n, then we can compute the
factors f and g.

Proof. Similar to the proof of Theorem 2.2.

Example 3.6. Let n = 155227 (= 17 × 23 × 397).

The first perfect square $n_0^2$ greater than n is $394^2$ and $n_0^2 - n = 3^2$. So n = 391 × 397.

There is another interesting example with $m = 2^{4\alpha+2} + 1$, $\alpha \in \mathbb{N}$ (see [4] for $\alpha = 53$).
The exponent is simply the double of an odd integer. The first perfect square greater than m
is $m_0^2 = (2^{2\alpha+1} + 1)^2$. So $m_0^2 - m = (2^{\alpha+1})^2$, and therefore $p = m_0 - 2^{\alpha+1} = 2^{2\alpha+1} - 2^{\alpha+1} + 1$
and $q = m_0 + 2^{\alpha+1} = 2^{2\alpha+1} + 2^{\alpha+1} + 1$. Observe that m is also a multiple of 5.

The last result in this paper concerns integers n for which no couple of factors (f, g)
verifies $|g - f| < 2^{(k+5)/4}$. In this case we use a coefficient r to correct the situation and work
on the new integer rn before coming back to n and computing efficiently one of its factors.
We formulate the idea in the next theorem:

Theorem 3.7. Let $n \in \mathbb{N}^*$ be an odd integer. Assume that we can compute efficiently
an odd integer r such that rn becomes the product of two factors f and g such that r < f
(or r < g) and $|g - f| < 2^{(K+5)/4}$, where K is the bit-size of the integer rn, then we can
compute a factor of n.

Proof. Similar to the proof of Corollary 2.4. 

Example 3.8. Let n = 136793 (= 29 × 53 × 89).

Here we cannot apply Proposition 3.5. With r = 17 (or r = 49) we have rn = 2325481.
The first perfect square $N_0^2$ greater than rn is $1525^2$ and $N_0^2 - rn = 12^2$. So rn = 1513 × 1537
and by looking for the artificial coefficient r we find two factors of n, namely f = 89 and
g = 1537.
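
The multiplier idea of Propositions 3.1 and 3.3 and Theorem 3.7 as an added Python example, not code from the paper. The function name is an assumption, and the closing gcd step is one way of discarding the artificial coefficient; the paper itself only says the factors are found by looking for r.

```python
from math import gcd, isqrt


def split_with_multiplier(n, r):
    """Write r*n = (N0 - I)(N0 + I) when N0^2 - r*n is a perfect square,
    then take gcds with n to discard the part contributed by r.
    Returns two non-trivial divisors of n, or None."""
    N = r * n
    N0 = isqrt(N) + 1              # N0^2 is the first square greater than r*n
    I2 = N0 * N0 - N
    I = isqrt(I2)
    if I * I != I2:
        return None                # r does not bring r*n close enough to a square
    a, b = gcd(N0 - I, n), gcd(N0 + I, n)
    if a in (1, n) or b in (1, n):
        return None                # the split of r*n reveals nothing about n
    return a, b


def demo():
    # (n, multiplier) pairs taken from Examples 3.2, 3.4 and 3.8; for
    # Example 3.4 the multiplier is the product r*s = 23*11. The last pair
    # uses multiplier 1, i.e. the plain method, which fails on this n.
    cases = [(15211, 9), (24961, 23 * 11), (136793, 17), (136793, 49), (136793, 1)]
    return {(n, r): split_with_multiplier(n, r) for n, r in cases}


if __name__ == "__main__":
    for (n, r), result in demo().items():
        print(f"n={n} r={r} -> {result}")
```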

4 Conclusion 

We have described an algorithm for factoring the RSA and the Rabin moduli in a particular
case. This class of integers should be avoided in cryptographic applications. The algorithm
does not use divisions. We need in the future to improve the bound $2^{(k+5)/4}$, in order to
include more prime factors.

Furthermore, we have also discussed new ideas about integer factorization. The technique
is only theoretical but we believe that it can lead to efficient algorithms for some
classes of integers. We underline that in the case of the RSA cryptosystem, we did not
use the knowledge of the public and secret key pair (e, d).